
Privileged Accounts Brute Force

Author
Elastic
Source
upstream

Identifies multiple consecutive logon failures targeting more than one Admin account from the same source address and within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.

MITRE ATT&CK coverage

Tactic             Techniques
Credential Access  T1110 Brute Force; T1110.001 Brute Force: Password Guessing; T1110.003 Brute Force: Password Spraying

Event coverage

Provider           Event ID  Title
Security-Auditing  4625      An account failed to log on.

Stages and Predicates

Stage 1: esql:from

Stage 2: esql:where

not winlog.event_data.Status:(0xc000005e or 0xc00000dc or 0xc0000133 or 0xc000015b or 0xc0000192) and not <macro:> and event.action:"logon-failed" and event.category:"authentication" and source.ip:* and winlog.computer_name:* and winlog.logon.type:"Network"

Stage 3: esql:eval

Stage 4: esql:stats

Stage 5: esql:where

Esql.count_distinct_user_name >= 2 and Esql.failed_auth_count >= 50

Stage 6: esql:eval

Stage 7: esql:keep
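The stages above are the pipeline the rule runs in ES|QL. To make the filter and threshold logic concrete, here is an added Python replay of that pipeline over constructed 4625 events; it is example code written for this page, not the Elastic rule or any catalog tooling. Field names follow the rule (event.action, event.category, winlog.logon.type, winlog.event_data.Status, source.ip, winlog.computer_name, user.name). Two things are assumptions rather than taken from the page: the stats stage groups by (source.ip, winlog.computer_name), inferred from the description and from the rule requiring both fields to be present, and no time window is applied because the bucketing interval is not shown in the stages. The <macro:> term of the where-stage is not reproduced.

```python
from collections import defaultdict

# NTSTATUS values the rule's where-stage excludes: none of them means "wrong
# credential", so they are dropped before counting (see Exclusions).
EXCLUDED_STATUS = {"0xc000005e", "0xc00000dc", "0xc0000133", "0xc000015b", "0xc0000192"}

# Thresholds from the rule's final where-stage.
MIN_DISTINCT_USERS = 2
MIN_FAILED_AUTHS = 50


def is_candidate(ev):
    """Per-event filter mirroring the rule's where-stage (the <macro:> term
    shown on the page is not reproduced here)."""
    if ev.get("event.action") != "logon-failed":
        return False
    if ev.get("event.category") != "authentication":
        return False
    if ev.get("winlog.logon.type") != "Network":
        return False
    # source.ip:* and winlog.computer_name:* require both fields to be present.
    if not ev.get("source.ip") or not ev.get("winlog.computer_name"):
        return False
    # Compare case-insensitively; forwarders differ in how they case the hex.
    if str(ev.get("winlog.event_data.Status", "")).lower() in EXCLUDED_STATUS:
        return False
    return True


def aggregate(events):
    """Stats stage. Grouping by (source.ip, winlog.computer_name) is an
    assumption taken from the description ("from the same source address")
    and from the rule requiring both fields to be non-null."""
    buckets = defaultdict(lambda: {"failed_auth_count": 0, "users": set()})
    for ev in filter(is_candidate, events):
        b = buckets[(ev["source.ip"], ev["winlog.computer_name"])]
        b["failed_auth_count"] += 1
        b["users"].add(ev["user.name"])
    return buckets


def detect(events):
    """Threshold stage: count_distinct_user_name >= 2 and failed_auth_count >= 50."""
    hits = []
    for (src, host), b in aggregate(events).items():
        if len(b["users"]) >= MIN_DISTINCT_USERS and b["failed_auth_count"] >= MIN_FAILED_AUTHS:
            hits.append({
                "source.ip": src,
                "winlog.computer_name": host,
                "failed_auth_count": b["failed_auth_count"],
                "count_distinct_user_name": len(b["users"]),
                "user.name": sorted(b["users"]),
            })
    return hits


def make_event(src, host, user, status="0xc000006a", logon_type="Network"):
    """Build a constructed, flattened 4625 event (0xc000006a = wrong password)."""
    return {
        "event.code": "4625",
        "event.action": "logon-failed",
        "event.category": "authentication",
        "winlog.logon.type": logon_type,
        "winlog.event_data.Status": status,
        "source.ip": src,
        "winlog.computer_name": host,
        "user.name": user,
    }


def sample_events():
    """Constructed sample data; only the first group should fire."""
    admins = ["admin-a", "admin-b", "admin-c"]
    events = []
    # 60 wrong-password failures spread over three admin accounts, one source: fires.
    events += [make_event("10.0.0.5", "DC01", admins[i % 3]) for i in range(60)]
    # 55 failures against a single service account: volume but one user, no fire.
    events += [make_event("10.0.0.9", "DC01", "svc-backup") for _ in range(55)]
    # Same spread but status 0xc000015b (logon type not granted): excluded, no fire.
    events += [make_event("10.0.0.7", "DC01", admins[i % 3], status="0xC000015B") for i in range(60)]
    # Same spread over Interactive logons: outside the rule's Network scope, no fire.
    events += [make_event("10.0.0.8", "DC01", admins[i % 3], logon_type="Interactive") for i in range(60)]
    # The spraying source also touches FS01, but only 30 times: separate bucket, under threshold.
    events += [make_event("10.0.0.5", "FS01", admins[i % 3]) for i in range(30)]
    return events


if __name__ == "__main__":
    for hit in detect(sample_events()):
        print(hit)
```

The negative cases are the useful part: a single account being hammered, an excluded status code, and Interactive logons all stay silent even at the same volume, which is exactly the behaviour to verify when tuning the thresholds against your own 4625 stream.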

Exclusions

Top-level NOT(...) conjuncts: predicates this rule actively suppresses. The excluded NTSTATUS values are failures that do not indicate a wrong credential (0xc000005e no logon servers available, 0xc00000dc invalid server state, 0xc0000133 clock skew with the domain controller, 0xc000015b logon type not granted, 0xc0000192 Netlogon service not started), so a burst of them from one source points at a configuration or infrastructure fault rather than password guessing.

Stage  Field   Kind  Excluded values
1      Status  in    0xc000005e, 0xc00000dc, 0xc0000133, 0xc000015b, 0xc0000192

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field                          Kind  Values          Corpus
Esql.count_distinct_user_name  ge    2
Esql.failed_auth_count         ge    50
event.action                   eq    logon-failed    3 (elastic 3)
event.category                 eq    authentication  5 (elastic 5)
winlog.logon.type              eq    Network         4 (elastic 4)

Neighbors

Stricter alternatives (narrower than this rule)

The rules below may be useful if you find the current rule is too noisy / lacks specificity.